Address Feedback

aws · Oct 1, 2024 · 21c788f · 21c788f
1 parent ca9d20c
commit 21c788f
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 29 deletions.
diff --git a/crypto/s2n_evp_kem.c b/crypto/s2n_evp_kem.c
@@ -22,24 +22,6 @@
 #include "utils/s2n_safety.h"
 #include "utils/s2n_safety_macros.h"
 
-int s2n_evp_kem_stub_generate_keypair(IN const struct s2n_kem *kem, OUT uint8_t *public_key,
-        OUT uint8_t *private_key)
-{
-    POSIX_BAIL(S2N_ERR_UNIMPLEMENTED);
-}
-
-int s2n_evp_kem_stub_encapsulate(IN const struct s2n_kem *kem, OUT uint8_t *ciphertext, OUT uint8_t *shared_secret,
-        IN const uint8_t *public_key)
-{
-    POSIX_BAIL(S2N_ERR_UNIMPLEMENTED);
-}
-
-int s2n_evp_kem_stub_decapsulate(IN const struct s2n_kem *kem, OUT uint8_t *shared_secret, IN const uint8_t *ciphertext,
-        IN const uint8_t *private_key)
-{
-    POSIX_BAIL(S2N_ERR_UNIMPLEMENTED);
-}
-
 #if defined(S2N_LIBCRYPTO_SUPPORTS_EVP_KEM)
 
 DEFINE_POINTER_CLEANUP_FUNC(EVP_PKEY *, EVP_PKEY_free);
@@ -48,6 +30,7 @@ DEFINE_POINTER_CLEANUP_FUNC(EVP_PKEY_CTX *, EVP_PKEY_CTX_free);
 int s2n_evp_kem_generate_keypair(IN const struct s2n_kem *kem, OUT uint8_t *public_key,
         OUT uint8_t *secret_key)
 {
+    POSIX_ENSURE(kem->kem_nid != NID_undef, S2N_ERR_API_UNSUPPORTED_BY_LIBCRYPTO);
     DEFER_CLEANUP(EVP_PKEY_CTX *kem_pkey_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_KEM, NULL), EVP_PKEY_CTX_free_pointer);
     POSIX_GUARD_PTR(kem_pkey_ctx);
     POSIX_GUARD_OSSL(EVP_PKEY_CTX_kem_set_params(kem_pkey_ctx, kem->kem_nid), S2N_ERR_PQ_CRYPTO);
@@ -70,6 +53,7 @@ int s2n_evp_kem_generate_keypair(IN const struct s2n_kem *kem, OUT uint8_t *publ
 int s2n_evp_kem_encapsulate(IN const struct s2n_kem *kem, OUT uint8_t *ciphertext, OUT uint8_t *shared_secret,
         IN const uint8_t *public_key)
 {
+    POSIX_ENSURE(kem->kem_nid != NID_undef, S2N_ERR_API_UNSUPPORTED_BY_LIBCRYPTO);
     DEFER_CLEANUP(EVP_PKEY *kem_pkey = EVP_PKEY_kem_new_raw_public_key(kem->kem_nid, public_key, kem->public_key_length), EVP_PKEY_free_pointer);
     POSIX_GUARD_PTR(kem_pkey);
 
@@ -90,6 +74,7 @@ int s2n_evp_kem_encapsulate(IN const struct s2n_kem *kem, OUT uint8_t *ciphertex
 int s2n_evp_kem_decapsulate(IN const struct s2n_kem *kem, OUT uint8_t *shared_secret, IN const uint8_t *ciphertext,
         IN const uint8_t *private_key)
 {
+    POSIX_ENSURE(kem->kem_nid != NID_undef, S2N_ERR_API_UNSUPPORTED_BY_LIBCRYPTO);
     DEFER_CLEANUP(EVP_PKEY *kem_pkey = EVP_PKEY_kem_new_raw_secret_key(kem->kem_nid, private_key, kem->private_key_length), EVP_PKEY_free_pointer);
     POSIX_GUARD_PTR(kem_pkey);
 
@@ -110,19 +95,19 @@ int s2n_evp_kem_decapsulate(IN const struct s2n_kem *kem, OUT uint8_t *shared_se
 int s2n_evp_kem_generate_keypair(IN const struct s2n_kem *kem, OUT uint8_t *public_key,
         OUT uint8_t *private_key)
 {
-    return s2n_evp_kem_stub_generate_keypair(kem, public_key, private_key);
+    POSIX_BAIL(S2N_ERR_API_UNSUPPORTED_BY_LIBCRYPTO);
 }
 
 int s2n_evp_kem_encapsulate(IN const struct s2n_kem *kem, OUT uint8_t *ciphertext, OUT uint8_t *shared_secret,
         IN const uint8_t *public_key)
 {
-    return s2n_evp_kem_stub_encapsulate(kem, ciphertext, shared_secret, public_key);
+    POSIX_BAIL(S2N_ERR_API_UNSUPPORTED_BY_LIBCRYPTO);
 }
 
 int s2n_evp_kem_decapsulate(IN const struct s2n_kem *kem, OUT uint8_t *shared_secret, IN const uint8_t *ciphertext,
         IN const uint8_t *private_key)
 {
-    return s2n_evp_kem_stub_decapsulate(kem, shared_secret, ciphertext, private_key);
+    POSIX_BAIL(S2N_ERR_API_UNSUPPORTED_BY_LIBCRYPTO);
 }
 
 #endif
diff --git a/tests/unit/s2n_kem_preferences_test.c b/tests/unit/s2n_kem_preferences_test.c
@@ -58,17 +58,15 @@ int main(int argc, char **argv)
 
         if (s2n_libcrypto_supports_evp_kem()) {
             EXPECT_TRUE(s2n_kem_group_is_available(&s2n_secp256r1_kyber_512_r3));
-            if (s2n_is_evp_apis_supported()) {
-                EXPECT_TRUE(s2n_kem_group_is_available(&s2n_x25519_kyber_512_r3));
-            } else {
-                EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_kyber_512_r3));
-            }
             EXPECT_TRUE(s2n_kem_group_is_available(&s2n_secp256r1_kyber_768_r3));
             EXPECT_TRUE(s2n_kem_group_is_available(&s2n_secp384r1_kyber_768_r3));
             EXPECT_TRUE(s2n_kem_group_is_available(&s2n_secp521r1_kyber_1024_r3));
-            if (s2n_libcrypto_supports_evp_kem() && s2n_is_evp_apis_supported()) {
+
+            if (s2n_is_evp_apis_supported()) {
+                EXPECT_TRUE(s2n_kem_group_is_available(&s2n_x25519_kyber_512_r3));
                 EXPECT_TRUE(s2n_kem_group_is_available(&s2n_x25519_kyber_768_r3));
             } else {
+                EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_kyber_512_r3));
                 EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_kyber_768_r3));
             }
         } else {

diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c
@@ -207,8 +207,6 @@ int main(int argc, char **argv)
             EXPECT_EQUAL(6, available_groups);
         } else if (s2n_libcrypto_supports_evp_kem() && !s2n_is_evp_apis_supported()) {
             EXPECT_EQUAL(4, available_groups);
-        } else if (!s2n_libcrypto_supports_evp_kem() && s2n_is_evp_apis_supported()) {
-            EXPECT_EQUAL(0, available_groups);
         } else {
             EXPECT_EQUAL(0, available_groups);
         }